The Real Impact of a “Simple” Data Breach

I’ve been following a story that’s deeply troubling, and I think it’s a crucial lesson for anyone who handles sensitive data.

Channel 4 recently reported that Kennedys Law LLP, the firm managing the Church of England’s abuse redress scheme, sent a mass email that accidentally exposed the names and email addresses of nearly 200 survivors. This was a simple CC-instead-of-BCC mistake, and it has had catastrophic consequences.

One survivor described it as “a new low,” and another said the news caused a physical reaction, shaking from shock and anxiety. This wasn’t just a technical glitch; for them, it was a profound violation of trust.

 

The Fallout

Kennedys called it “human error,” but for those affected, the impact is anything but minor. The firm has apologised and is investigating, and the Church of England has expressed its concern. The Bishop of Winchester was clear, saying that while it wasn’t the Church’s direct fault, they wouldn’t shirk their moral responsibility to support survivors.

This incident highlights something we often forget: for vulnerable individuals, a data breach isn’t just about data. It’s a personal violation that can feel like, or lead to, re-traumatisation. For survivors who have already gone through so much, and who finally shared their story expecting to remain anonymous, the last thing they expect is to have their confidentiality compromised.

 

What This Means for All of Us

This isn’t just a story about a law firm or a church. It’s a powerful reminder that every organisation handling personal data has a moral duty to prioritise human dignity.

It’s not enough to just comply with policy. 

We need to:

  • Treat data with empathy. It’s crucial to categorise data by sensitivity level. When handling information for high-risk individuals, use specialised tools like email encryption, send individual emails, and enforce strict review protocols. A simple double-check can prevent immense harm.
  • Respond with compassion. When an error occurs, acknowledge the human impact immediately. Offer real support, not just a generic apology.
  • Educate our teams. Everyone must understand the vulnerability of the people whose data they handle. A yearly e-learning course isn’t enough. Provide your staff with empowering, bespoke training that helps them truly grasp the emotional weight and consequences of their actions.

Confidentiality for survivors isn’t a nice-to-have; it’s essential for their safety and emotional recovery. This incident should be a wake-up call for us all to be more vigilant, more empathetic, and more human in how we protect the data we’re entrusted with.

 

In Summary

This breach by a prestigious law firm underscores a critical truth: data protection isn’t only about policy compliance; it’s about human dignity. For survivors of abuse, confidentiality isn’t optional; it’s fundamental to their safety and emotional recovery.

May this event spur organisations everywhere to prioritise empathy and vigilance in how they handle personal data, and to never underestimate the profound consequences when things go wrong.

If you need support with data protection, get in touch with us directly.
